Bug 480169 (CVE-2008-5844)

Summary: CVE-2008-5844 php: change to the FILTER_UNSAFE_RAW in 5.2.7 breaks magic_quotes_gpc
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: fedora, jorton, rpm
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5844
Doc Type: Bug Fix
Last Closed: 2009-01-23 16:48:05 UTC

Description Tomas Hoger 2009-01-15 15:26:42 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5844 to the following vulnerability:

PHP 5.2.7 contains an incorrect change to the FILTER_UNSAFE_RAW functionality,
and unintentionally disables magic_quotes_gpc regardless of the actual
magic_quotes_gpc setting, which might make it easier for context-dependent
attackers to conduct SQL injection attacks and unspecified other attacks.

References:
http://bugs.php.net/bug.php?id=42718
http://securitytracker.com/alerts/2008/Dec/1021393.html
http://www.php.net/releases/5_2_8.php
http://www.php.net/ChangeLog-5.php#5.2.8

Comment 1 Tomas Hoger 2009-01-23 16:48:05 UTC
This issue is specific to PHP version 5.2.7.  It was introduced in the following commit:
http://cvs.php.net/viewvc.cgi/php-src/ext/filter/filter.c?r1=1.52.2.42&r2=1.52.2.43

The issue was noticed shortly after 5.2.7 release and reverted in:
http://cvs.php.net/viewvc.cgi/php-src/ext/filter/filter.c?r1=1.52.2.43&r2=1.52.2.44

PHP 5.2.7 was replaced by the fixed 5.2.8:
http://www.php.net/archive/2008.php#id2008-12-07-1
http://www.php.net/archive/2008.php#id2008-12-08-1

The affected PHP version was never shipped in any Red Hat product version or Fedora.